DevOps, Security Struggle with Integration as Stress Levels Rise
Tight timelines and innovation pressures on those on the front lines of development are leading many organizations to frequently complete projects without carrying out all security steps, according to a survey.
The Invicti Security survey included responses from 600 executives and hands-on-keyboard practitioners across security, development and DevOps spanning more than 20 industries.
Additionally, integration of security into the software development life cycle (SDLC) is lacking, with only 20% reporting they have fully shifted left.
The results also revealed 78% of respondents say their stress levels went up in the last year and an average of 73% thought about quitting their jobs because of security-related pain points.
That number was even higher—81%—among DevOps professionals, likely because they are accountable for both on-time delivery of new features and the coordination of security and quality fixes.
Release Fast or Die
Mark Ralls, president and COO of Invicti, explained that developers often live by the “release fast or die” mentality, which can too easily lead to skipped or missed security steps that increase the risk to an organization.
“Whether they’re putting that pressure on themselves to be more agile while working from home or the push for innovation is coming from up top, developers and security professionals are feeling the heat,” he said.
Backlogs, false positives, lack of clear prioritization and misalignment within teams all compound this pressure and create friction between what are often already-siloed departments.
“Add in a layer of remote work causing extra barriers in effective collaboration, communication, and process, and it becomes clear why so many developers struggle to find that sweet spot between speed and secure innovation – especially when their organizations don’t offer up the right tools and processes for their workflows,” he said.
Ralls explained that when organizations shift security “left” to cover earlier stages of the software development life cycle (SDLC), doing so can uncover gaps in coverage that, if left unchecked, end up living in the “messy middle.”
This is the area where security is considered important but is kept separate from the development process, making it easier for flaws to slip through the cracks.
“These issues stem from a variety of places; sometimes organizations are too overwhelmed with trying to secure all their web apps and so they end up hyper-focusing on one or two areas, creating blind spots,” he said. “Other times, integrating security more deeply comes down to adoption and ease of use; wherever possible, leadership should look for areas where automation can play a role in eliminating tedious manual processes.”
Ralls pointed out there are other efforts that can help make security integration and adoption smoother, like implementing a ‘security champions’ program to rally the individuals within an organization who are the most passionate and vocal about security.
The survey data indicated that an overwhelming majority (76%) of security and development team members consider their counterparts to be “family” or “besties” at work.
“There’s a myth that developers and security professionals are enemies,” Ralls said. “And while there still seem to be some lingering questions about exactly who owns security at an organization, the vast majority of respondents said that both teams share accountability for the results.”
Still, developers say they spend half of their time chasing security issues that delay delivery timelines quite significantly.
Ralls said that’s an area where the shift left model, when implemented fully with automation, can help drive changes in how security and development work together.
“Today, a developer’s tools need to work harder, smarter and faster if they want to keep up with modern threats and shifting priorities,” he said.
Automation of time-consuming and stress-inducing tasks makes it easier to embed security earlier in the software development process so that developers are creating more secure apps, faster.
A Cultural Shift
He said there is also a cultural shift that comes from the top down.
“When leadership fully embraces the notion that security should be an inherent part of good innovation and promotes security best practices, the entire organization falls in line and takes those best practices as policy,” Ralls said.
Nearly all survey respondents agreed that they can’t properly hit their AppSec testing and remediation goals without adding more integration to the mix.
That includes automated tools in place to test and remediate security issues faster than ever, as well as artificial intelligence and machine learning advancements that have the potential to improve these processes even further.
Over three-quarters of AppSec professionals say they are either “always” or “frequently” performing manual verification of flaws, which Ralls called a “huge time-waster.”
He said automated efforts would be the future of seamless cybersecurity, and the survey suggested DevOps pros agree: 35% said that automation and machine learning are their biggest sources of optimism for the future.
Ralls explained that machine learning holds the promise of bringing additional context to the scanning process and eliminating the need to understand the “alphabet soup” of application security testing technologies.
“The tools will run the right type of scan based on the application type and context,” he said. “That brings improved efficiency, easier prioritization and discovery of behaviors or meta-trends that provide even deeper insight as new threats emerge.”

